A whitelist is used to restrict access to specified IP addresses and specified IP segments. You cannot access a database unless a whitelist is set. We recommend that you periodically check and adjust your whitelists according to your requirements to maintain RDS security. This document provides the necessary information and procedure to set the whitelist.
Background information
You can access the RDS instances through the intranet, the Internet, or both of the intranet and Internet. For more information on the applicable scenarios of each connection type (intranet and Internet), see the Background information of Set intranet and Internet addresses.
Before setting the connection type, you must add the IP addresses or IP segments of your application service or the ECS instance to the whitelist of RDS instance. When the whitelist is set, the system automatically generates the intranet address for the RDS instance. If you need an Internet address, see Apply for an Internet address.
Note: If you cannot connect to the RDS instance after adding the application service IP address to the whitelist, you must obtain the actual IP address of the application service.
Attentions
The system automatically creates a default whitelist group for each newly created RDS instance. This default whitelist group can only be modified or cleared, but cannot be deleted.
For each newly created RDS instance, the local loopback IP address 127.0.0.1 is added to the default whitelist group by default. This means that all the IP addresses or IP segments are prohibited to access this RDS instance. Therefore, you must delete 127.0.0.1 from the default whitelist group first, before you add other IP addresses or IP segments to the RDS whitelist.
% or 0.0.0.0/0 indicates any IP address is allowed to access the RDS instance. This configuration greatly reduces the security of the database and is not recommended.
Procedure
Log on to the
RDS console .Select the region where the target instance is located.
Click the name of the target instance to go to the Basic Information page.
Select Security Controls in the left-side navigation pane to enter the Security Controls page.
On the Whitelist Settings tab page, click Modify of the default whitelist group, as shown in the following figure.
Note: If you want to add a custom whitelist group to the RDS instance, you can click Clear of the default whitelist group to delete the IP address 127.0.0.1 first, and then click Add a Whitelist Group. The setting steps for a custom whitelist are similar to the following steps.
On the Modify Group page, add the IP addresses or IP segments to access the RDS instance to Whitelist field. If you want to add the ECS intranet IP addresses, click Upload ECS Intranet IP Address and select the IP addresses according to the prompt, as shown in the following picture.
Parameters description:
Group Name: it can contain 2 to 32 characters including lowercase letters, digits, or underscores. The group name must start with a lowercase letter and end with a letter or digit. This name cannot be modified once the whitelist group is successfully created.
Whitelist: enter the custom IP addresses or IP segments that can access the RDS instance.
If you enter an IP segment, such as 10.10.10.0/24, it indicates that any IP address in the format of 10.10.10.X can access the RDS instance.
If you want to enter multiple IP addresses or IP segments, separate them by commas (,) (do not add blank spaces), such as 192.168.0.1,172.16.213.9.
- For each whitelist group, up to 1,000 IP addresses or IP segments can be set for MySQL, PostgreSQL, and PPAS instances; and up to 800 can be set for SQL Server instances.
Upload ECS intranet IP Address: by clicking this button, you can select the intranet IP addresses of the ECS instances under the same account with the RDS instance, which is a quick method to add ECS intranet IP addresses.
Click OK.
Modify or delete the whitelist group
You can modify or delete the whitelist group according your business requirements. The detailed procedure is as follows:
Log on to the
RDS console .Select the region where the target instance is located.
Click the name of the target instance to go to the Basic Information page.
Select Security Controls in the left-side navigation pane to enter the Security Controls page.
On the Whitelist Settings tab page, click Modify or Delete button of the target whitelist group.
Click OK after you modify the IP addresses or IP segments. Or click Confirm if you are sure that it is the whitelist group to be deleted.